Abstract. The size-change abstraction (SCA) is an important program abstraction for termination analysis, which has been successfully implemented in many tools for functional and logic programs. In this paper, we demonstrate that SCA is also a highly effective abstract domain for the bound analysis of imperative programs.

We have implemented a bound analysis tool based on SCA for imperative programs. We abstract programs in a pathwise and context dependent manner, which enables our tool to analyze real-world programs effectively. Our work shows that SCA captures many of the essential ideas of previous termination and bound analysis and goes beyond in a conceptually simpler framework.

1 Introduction 

Computing symbolic bounds for the resource consumption of imperative programs is an active area of research [17,15,14,13,12,…]. Most questions about resource bounds can be reduced to counting the number of visits to a certain program location [17]. Our research is motivated by the following technical challenges:



(A) Bounds are often complex non-linear arithmetic expressions built from +, *, max etc. Therefore, abstract domains based on linear invariants (e.g. intervals, octagons, polyhedra) are not directly applicable for bound computation.

(B) The proof of a given bound often requires disjunctive invariants that can express loop exit conditions, phases, and flags which affect program behavior. Although recent research made progress on computing disjunctive invariants [17,14,27,8,5,29,…], this is still a research challenge. (Note that the domains mentioned in (A) are conjunctive.)

(C) It is difficult to predict a bound in terms of a template with parameters because the search space for suitable bounds is huge. Moreover, the search space cannot be reduced by compositional reasoning because bounds are global program properties.

(D) It is not clear how to exploit the loop structure to achieve compositionality in the analysis for bound computation. This is in contrast to automatic termination analysis, where the cutpoint technique [8,15] is standard.
In this paper we demonstrate that the size-change abstraction (SCA) by Lee et al. [24,4] is the right abstract domain to address these challenges. SCA is a predicate abstraction domain that consists of (in)equality constraints between integer-valued variables and boolean combinations thereof in disjunctive normal form (DNF).

SCA is well-known to be an attractive abstract domain: First, SCA is rich enough to capture the progress of many real-life programs. It has been successfully employed for automatic termination proofs of recursive functions in functional and declarative languages, and is implemented in widely used systems such as ACL2, Isabelle etc. [25,20]. Second, SCA is simple enough to achieve a good trade-off between expressiveness and complexity. For example, SCA termination is decidable and ranking functions can be extracted on terminating instances in PSPACE [3]. The simplicity of SCA sets it apart from other disjunctive abstract domains used for termination/bounds such as transition predicate abstraction [28] and powerset abstract domains [17,5].

Our method starts from the observation that progress in most software depends on the linear change of integer-valued functions on the program state (e.g., counter variables, size of lists, height of trees, etc.), which we call norms. The vast majority of non-linear bounds in real-life programs stems from two sources, nested loops and loop phases, and not from inherent non-linear behavior as in numeric algorithms. For most bounds, we therefore have the potential to exploit the nesting structure of the loops, and compose global bounds from bounds on norms. Upper bounds for norms typically consist of simple facts such as size comparisons between variables and can be computed by classical conjunctive domains. SCA is the key to convert this observation into an efficient analysis:

(1) Due to its built-in disjunctiveness and the transitivity of the order relations, SCA is closed under taking transitive hulls, and transitive hulls can be efficiently computed. We will use this for summarizing inner loops.

(2) We use SCA to compose global bounds from bounds on the norms. To extract norms from the program, we only need to consider small program parts. After the (local) extraction we have to consider only the size-change-abstracted program for bound computation.

(3) SCA is the natural abstract domain in connection with two program transformations, pathwise analysis and contextualization, that make imperative programs more amenable to bound analysis. Pathwise analysis is used for reasoning about complete program paths, where inner loops are overapproximated by their transitive hulls. Contextualization adds path-sensitivity to the analysis by checking which transitions can be executed subsequently. Both transformations make use of the progress in SMT solver technology to reason about the long pieces of straight-line code given by program paths.

Summary of our Approach. To determine how often a location l of program P can be visited, we proceed in two steps akin to [17]: First, we compute a disjunctive transition system T for l from P. Second, we use T to compute a bound on the number of visits to l. For the first step we recursively compute transition systems for nested loops and summarize them disjunctively by transitive hulls



Example 1.

  void main(int n) {
    int i = 0; int j;
    l1: while (i < n) {
      i++; j = 0;
      l2: while ((i < n) && ndet()) {
        i++; j++; }
      if (j > 0)
        i--; } }

  $\rho_1 = i < n \wedge i' = i + 1 \wedge j' = 0$
  $\rho_2 = i < n \wedge i' = i + 1 \wedge j' = j + 1$
  $\rho_3 = j > 0 \wedge i' = i - 1$
  $\rho_4 = j \leq 0$
  $\rho_5 = i \geq n$

Fig. 1. Example 1 with its (simplified) CFG and transition relations.

computed with SCA. We enumerate all cycle-free paths from l back to l, and derive a disjunctive transition system T from these paths and the summaries of the inner loops using pathwise analysis. For the second step we exploit the potential of SCA for automatic bound computation by first abstracting T using norms extracted from the program and then computing bounds solely on the abstraction. We use contextualization to increase the precision of the bound computation. Our method thus clearly addresses the challenges (A) to (D) discussed above. In particular, we make the following new contributions:

— We are the first to exploit SCA for bound analysis by using its ability of composing global bounds from bounds on locally extracted norms and disjunctive reasoning. Our technical contributions are the first algorithm for computing bounds with SCA (Algorithm 2) and the disjunctive summarization of inner loops with SCA (Algorithm 1).

— We are the first to describe how to apply SCA on imperative programs. Our technical contributions are two program transformations: pathwise analysis (Subsection 5.2), which exploits the looping structure of imperative programs, and contextualization (Subsection 6.1). These program transformations make imperative programs amenable to bound analysis by SCA.

— We obtain a competitive bound algorithm that captures the essential ideas of earlier termination and bound analyses in a simpler framework. Since bound analysis generalizes termination analysis, many of our methods are relevant for termination. Our experimental section shows that we can handle a large percentage of standard C programs. We give a detailed comparison with related work on termination and bound analysis in Section 8.

2 Examples 

We use two examples to demonstrate the challenges in the automatic generation of transition systems and bound computation, and give an overview of our approach. In the examples, we denote transition relations as expressions over primed and unprimed state variables in the usual way.

Example 1: Transition System Generation. Let us consider the source code of Example 1 together with its (simplified) CFG and transition relations in Figure 1. Computing a bound for the header of the outer loop $l_1$ exhibits
The size-change abstractions of the transition relations:

  $\rho_1$: $l > 0 \wedge s' > s \wedge s' \leq 255 \wedge l' = l$
  $\rho_2$: $l > 0 \wedge s' < s \wedge s' \geq 0 \wedge l' = l$
  $\rho_3$ and $\rho_5$: $l > 0 \wedge l' < l \wedge s' > s \wedge s' \leq 255$
  $\rho_4$ and $\rho_6$: $l > 0 \wedge l' < l \wedge s' < s \wedge s' \geq 0$

Fig. 2. The CFG obtained from contextualizing the transition system of Example 2 (left) and the size-change abstractions of the transition relations (right)

the following difficulties: The inner loop cannot be excluded in the analysis of the outer loop (e.g. by the standard technique called slicing) as it modifies the counter of the outer loop; this demonstrates the need for global reasoning in bound analysis. Further, one needs to distinguish whether the inner loop has been skipped or executed at least one time, as this determines whether j = 0 or j > 0. This exemplifies why we need disjunctive invariants for inner loops. Moreover, the counter i may decrease, but this can only happen when i has been increased by at least 2 before. This presents a difficulty to an automatic analysis since the used abstract domains need to be precise enough to capture such reasoning. In particular, a naive application of the size-change abstraction is too imprecise, since it contains only inequalities.

Our Algorithm 1 computes a transition system for the outer loop with header $l_1$ as follows: The algorithm is based on the idea of enumerating all paths from $l_1$ back to $l_1$ in order to derive a precise disjunctive transition system. However, this enumeration is not possible as there are infinitely many such paths because of the inner loop at $l_2$. Therefore Algorithm 1 recursively computes a transition system $\{i < n \wedge i' = i + 1 \wedge j' = j + 1 \wedge n' = n\}$ for the inner loop at $l_2$, and then summarizes the inner loop disjunctively by size-change abstracting its transition system to $\{n - i > 0 \wedge n' - i' < n - i \wedge j < j'\}$ (our analysis extracts the norms $n - i$, $j$ from the program using heuristics, cf. Section 7) and computing the reflexive transitive hull $\{n' - i' = n - i \wedge j' = j,\; n - i > 0 \wedge n' - i' < n - i \wedge j < j'\}$ in the abstract. (Note that we use sets of formulae to denote disjunctions of formulae.) Then Algorithm 1 enumerates all cycle-free paths from $l_1$ back to $l_1$. There are two such paths: $\pi_1 = l_1 \xrightarrow{\rho_1} l_2 \xrightarrow{\rho_3} l_1$ and $\pi_2 = l_1 \xrightarrow{\rho_1} l_2 \xrightarrow{\rho_4} l_1$. Algorithm 1 inserts the reflexive transitive hull T of the inner loop on the paths $\pi_1, \pi_2$ at the header of the inner loop $l_2$ and contracts the transition relations. This results in the two transition relations $\{\mathit{false},\; n - i - 1 > 0 \wedge n' - i' < n - i \wedge j' > 0\}$ for $\pi_1$ (one for each disjunct of the summary of the inner loop), and $\{n - i > 0 \wedge n' - i' = n - i - 1 \wedge j' = 0,\; \mathit{false}\}$ for $\pi_2$. Note that for each path, false indicates that one transition relation was detected to be unsatisfiable, e.g. $n - i - 1 > 0 \wedge n' - i' < n - i - 1 \wedge j' > 0 \wedge j' \leq 0$ in $\pi_2$. Algorithm 1 returns the two satisfiable transitions as a transition system T for the outer loop.

Our Algorithm 2 size-change abstracts T (resulting in $\{n - i > 0 \wedge n' - i' < n - i \wedge j' > 0,\; n - i > 0 \wedge n' - i' < n - i \wedge j' \geq 0\}$) and computes the bound



$\max(n, 0)$ from the abstraction. The difficult part in analyzing Example 1 is the transition system generation, while computing a bound from T is easy.

Example 2: Bound Computation. Bound analysis is complicated when a loop contains a finite state machine that controls its dynamics. Example 2, found during our experiments on the cBench benchmark [1], presents such a loop.

Example 2. // cBench/consumer_lame/src/quantize-pvt.c

  int bin_search_StepSize2(int r, int s) {
    static int c = 4; int n; int f = 0; int d = 0;
    do {
      n = nondet();
      if (c == 1) break;
      if (f) c /= 2;
      if (n > r) {
        if (d == 1 && !f) { f = 1; c /= 2; }
        d = 2; s += c;
        if (s > 255) break; }
      else if (n < r) {
        if (d == 2 && !f) { f = 1; c /= 2; }
        d = 1; s -= c;
        if (s < 0) break; }
      else break; }
    while (1); }

The loop has three different phases: in its first iteration it assigns 1 or 2 to d, then it either increases or decreases s until it sets f to true; then it divides c by 2 until the loop is exited. Note that disjunctive reasoning is crucial to distinguish the phases!

Our method first uses a standard invariant analysis (such as the octagon analysis) to compute the invariant $c \geq 1$, which is valid throughout the execution of the loop. Then Algorithm 1 obtains a transition system from the loop by collecting all paths from the loop header back to the loop header. Omitting transitions that belong to infeasible paths we obtain six transitions:

  $\rho_1 = c > 1 \wedge \neg f \wedge d \neq 1 \wedge d' = 2 \wedge s' = s + c \wedge s' \leq 255 \wedge c' = c \wedge f' = f$
  $\rho_2 = c > 1 \wedge \neg f \wedge d \neq 2 \wedge d' = 1 \wedge s' = s - c \wedge s' \geq 0 \wedge c' = c \wedge f' = f$
  $\rho_3 = c > 1 \wedge \neg f \wedge d = 1 \wedge f' \wedge c' = c/2 \wedge d' = 2 \wedge s' = s + c' \wedge s' \leq 255$
  $\rho_4 = c > 1 \wedge \neg f \wedge d = 2 \wedge f' \wedge c' = c/2 \wedge d' = 1 \wedge s' = s - c' \wedge s' \geq 0$
  $\rho_5 = c > 1 \wedge f \wedge c' = c/2 \wedge d' = 2 \wedge s' = s + c' \wedge s' \leq 255 \wedge f' = f$
  $\rho_6 = c > 1 \wedge f \wedge c' = c/2 \wedge d' = 1 \wedge s' = s - c' \wedge s' \geq 0 \wedge f' = f$

Our bound analysis reasons about this transition system automatically by applying the program transformation called contextualization, which determines in which context transitions can be executed, and size-change abstracting the transitions. By our heuristics (cf. Section 7) we consider s and the logarithm of c (which we abbreviate by l) as program norms.

Figure 2 shows the CFG obtained from contextualizing the transition system of Example 2 on the left. The CFG vertices carry the information which transition is executed next. The CFG edges are labeled by the transitions of the transition system, where the presence of an edge indicates that, e.g., $l_4$ can be directly executed after $l_1$, and the absence of an arc from $l_4$ to $l_1$ means that this transition is infeasible. The CFG shows that the transitions cannot interleave in arbitrary order; particularly useful are the strongly-connected components (SCCs) of the CFG. Our bound Algorithm 2 exploits the SCC decomposition. It computes bounds for every SCC separately using the size-change abstracted transitions (cf. Figure 2 on the right) and composes them to the overall bound $\max(255, s) + 3$, which is precise.

We point out how the above described approach enables automatic bound analysis by SCA. Note that the variables d and f do not appear in the abstracted transitions. It is sufficient for our analysis to work with the CFG obtained from contextualization because the loop behavior of Example 2, which is controlled by d and f, has been encoded into the CFG. This has the advantage that fewer variables have to be considered in the actual bound analysis. Further note that the CFG decomposition gives us compositionality in bound analysis. Our analysis is able to combine the bounds of the SCCs to a (fairly complicated) overall bound using the operators max and + by following the structure of the CFG.

3 Program Model and Size-change Abstraction 

Sets and Relations. Let A be a set. The concatenation of two relations $B_1, B_2 \in 2^{A \times A}$ is the relation $B_1 \circ B_2 = \{(e_1, e_3) \mid \exists e_2.\, (e_1, e_2) \in B_1 \wedge (e_2, e_3) \in B_2\}$. $\mathit{Id} = \{(e, e) \mid e \in A\}$ is the identity relation over A. Let $B \in 2^{A \times A}$ be a relation. We inductively define the k-fold exponentiation of B by $B^k = B^{k-1} \circ B$ and $B^0 = \mathit{Id}$. $B^+ = \bigcup_{k \geq 1} B^k$ resp. $B^* = \bigcup_{k \geq 0} B^k$ is the transitive resp. reflexive transitive hull of B. We lift the concatenation operator $\circ$ to sets of relations by defining $C_1 \circ C_2 = \{B_1 \circ B_2 \mid B_1 \in C_1, B_2 \in C_2\}$ for sets of relations $C_1, C_2 \subseteq 2^{A \times A}$. We set $C^0 = \{\mathit{Id}\}$; $C^k$, $C^+$, $C^*$ etc. are defined analogously.

Program Model. We introduce a simple program model for sequential imperative programs without procedures. Our definition models explicitly the essential features of imperative programs, namely branching and looping. In Section 5 we will explain how to exploit the graph structure of programs in our analysis algorithm. We leave the extension to concurrent and recursive programs for future work.

Definition 1 (Transition Relations / Invariants). Let S be a set of states. The set of transition relations $\Gamma = 2^{S \times S}$ is the set of relations over S. A transition set $T \subseteq \Gamma$ is a finite set of transition relations. Let $\rho \in \Gamma$ be a transition relation. T is a transition system for $\rho$, if $\rho \subseteq \bigcup T$. T is a transition invariant for $\rho$, if $\rho^* \subseteq \bigcup T$.

Definition 2 (Program, Path, Trace, Termination). A program is a tuple $P = (L, E)$, where L is a finite set of locations, and $E \subseteq L \times \Gamma \times L$ is a finite set of transitions. We write $l_1 \xrightarrow{\rho} l_2$ to denote a transition $(l_1, \rho, l_2)$.

A path of P is a sequence $l_0 \xrightarrow{\rho_0} l_1 \xrightarrow{\rho_1} \cdots$ with $l_i \xrightarrow{\rho_i} l_{i+1} \in E$ for all i. Let $\pi = l_0 \xrightarrow{\rho_0} l_1 \xrightarrow{\rho_1} l_2 \cdots l_k \xrightarrow{\rho_k} l_{k+1}$ be a finite path; it is cycle-free, if $\pi$ does not visit a location twice except for the end location, i.e., $l_i \neq l_j$ for all $0 \leq i < j \leq k$. The contraction of $\pi$ is the transition relation $\mathit{rel}(\pi) = \rho_0 \circ \rho_1 \circ \cdots \circ \rho_k$ obtained from concatenating all transition relations along $\pi$. Given a location l, $\mathit{paths}(P, l)$ is the set of all finite paths with start and end location l. A path $\pi \in \mathit{paths}(P, l)$ is simple, if all locations, except for the start and end location, are different from l.

A trace of P is a sequence $(l_0, s_0) \xrightarrow{\rho_0} (l_1, s_1) \xrightarrow{\rho_1} \cdots$ such that $l_0 \xrightarrow{\rho_0} l_1 \xrightarrow{\rho_1} \cdots$ is a path of P, $s_i \in S$ and $(s_i, s_{i+1}) \in \rho_i$ for all i. P is terminating, if there is no infinite trace of P.

Note that a cycle-free path $\pi \in \mathit{paths}(P, l)$ is always simple. Further note that our definition of programs allows us to model branching and looping precisely and naturally: imperative programs can usually be represented as CFGs whose edges are labeled with assign and assume statements.

Definition 3 (Transition Relation of a Location). Let $P = (L, E)$ be a program and $l \in L$ a location. The transition relation of l is the set $P|_l = \bigcup_{\text{simple } \pi \in \mathit{paths}(P, l)} \mathit{rel}(\pi)$.

3.1 Order Constraints

Let X be a set of variables. Given a variable x we denote by x' its primed version. We denote by X' the set $\{x' \mid x \in X\}$ of the primed variables of X. We denote by $\rhd$ any element from $\{>, \geq\}$.

Definition 4 (Order Constraint). An order constraint over X is an inequality $x \rhd y$ with $x, y \in X$.

Definition 5 (Valuation). The set of all valuations of X is the set $\mathit{Val}_X = X \rightarrow \mathbb{Z}$ of all functions from X to the integers. Given a valuation $\sigma \in \mathit{Val}_X$ we define its primed valuation as the function $\sigma' \in \mathit{Val}_{X'}$ with $\sigma'(x') = \sigma(x)$ for all $x \in X$. Given two valuations $\sigma_1 \in \mathit{Val}_{X_1}$, $\sigma_2 \in \mathit{Val}_{X_2}$ with $X_1 \cap X_2 = \emptyset$ we define their union $\sigma_1 \cup \sigma_2 \in \mathit{Val}_{X_1 \cup X_2}$ by $(\sigma_1 \cup \sigma_2)(x) = \sigma_1(x)$ for $x \in X_1$ and $(\sigma_1 \cup \sigma_2)(x) = \sigma_2(x)$ for $x \in X_2$.

Definition 6 (Semantics). We define a semantic relation $\models$ as follows: Let $\sigma \in \mathit{Val}_X$ be a valuation. Given an order constraint $x_1 \rhd x_2$ over X, $\sigma \models x_1 \rhd x_2$ holds, if $\sigma(x_1) \rhd \sigma(x_2)$ holds in the structure of the integers $(\mathbb{Z}, \geq)$. Given a set O of order constraints over X, $\sigma \models O$ holds, if $\sigma \models o$ holds for all $o \in O$.

3.2 Size-change Abstraction (SCA) 

We are using integer-valued functions on the program states to measure the progress of a program. Such functions are called norms in the literature. Norms provide us sizes of states that we can compare. We will use norms for abstracting programs.

Definition 7 (Norm). A norm $n \in S \rightarrow \mathbb{Z}$ is a function that maps the states to the integers.



We fix a finite set of norms N for the rest of this subsection, and describe in Section 7 how to extract norms from programs automatically. Given a state $s \in S$ we define a valuation $\sigma_s \in \mathit{Val}_N$ by setting $\sigma_s(n) = n(s)$.

We will now introduce SCA. Our terminology diverges from the seminal papers on SCA [24,4] because we focus on a logical rather than a graph-theoretic representation. The set of norms N corresponds to the SCA "variables" in [24,4].

Definition 8 (Monotonicity Constraint, Size-change Relation / Set, Concretization). The set of monotonicity constraints $\mathit{MCs}$ is the set of all order constraints over $N \cup N'$. The set of size-change relations (SCRs) $\mathit{SCRs} = 2^{\mathit{MCs}}$ is the powerset of $\mathit{MCs}$. An SCR set $S \subseteq \mathit{SCRs}$ is a set of SCRs. We use the concretization function $\gamma : \mathit{SCRs} \rightarrow \Gamma$ to map an SCR $T \in \mathit{SCRs}$ to a transition relation $\gamma(T)$ by defining $\gamma(T) = \{(s_1, s_2) \in S \times S \mid \sigma_{s_1} \cup \sigma'_{s_2} \models T\}$ as the set of all pairs of states such that the evaluation of the norms on these states satisfies all the constraints of T. We lift the concretization function to SCR sets by setting $\gamma(S) = \{\gamma(T) \mid T \in S\}$ for an SCR set S.

Note that the abstract domain of SCRs has only finitely many elements, namely $3^{|N \cup N'|^2}$. Further note that an SCR set corresponds to a formula in DNF.

Definition 9 (Abstraction Function). The abstraction function $\alpha : \Gamma \rightarrow \mathit{SCRs}$ takes a transition relation $\rho \in \Gamma$ and returns the greatest SCR containing it, namely $\alpha(\rho) = \{c \in \mathit{MCs} \mid \rho \subseteq \gamma(c)\}$. We lift the abstraction function to transition sets by setting $\alpha(T) = \{\alpha(\rho) \mid \rho \in T\}$ for a transition set T.

Implementation of the abstraction. $\alpha$ can be implemented by an SMT solver under the assumption that the norms are provided as expressions and that the transition relation is given as a formula such that the order constraints between these expressions and the formula fall into a logic that the SMT solver can decide. Using abstraction and concretization we can define the concatenation of SCRs:

Definition 10 (Concatenation of SCRs). Given two SCRs $T_1, T_2 \in \mathit{SCRs}$, we define $T_1 \circ T_2$ to be the SCR $\alpha(\gamma(T_1) \circ \gamma(T_2))$. We lift the concatenation operator $\circ$ to SCR sets by defining $S_1 \circ S_2 = \{T_1 \circ T_2 \mid T_1 \in S_1, T_2 \in S_2\}$ for SCR sets $S_1, S_2 \in 2^{\mathit{SCRs}}$. $S^0 = \{\mathit{Id}\}$; $S^k$, $S^+$, $S^*$ etc. are defined in the natural way.

Concatenation of SCRs is conservative by definition, i.e., $\gamma(T_1 \circ T_2) \supseteq \gamma(T_1) \circ \gamma(T_2)$, and associative because of the transitivity of order relations. Concatenation of SCRs can be effectively computed by a modified all-pairs-shortest-path algorithm (taking order relations as weights). Because the number of SCRs is finite, the transitive hull is computable.

The following theorem can be directly shown from the definitions. We will use it to summarize the transitive hull of loops disjunctively, cf. Section 5.

Theorem 1 (Soundness). Let $\rho$ be a transition relation and T a transition system for $\rho$. Then $\gamma(\alpha(T)^*)$ is a transition invariant for $\rho$.
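Definition 10 and Theorem 1 in working code, as an added example that is not part of the paper or its tool: SCRs are sets of order constraints, concatenation is computed by transitively closing the constraint graph (the all-pairs-shortest-path idea mentioned above, with strictness as the "weight") and projecting away the intermediate norms, and α(T)* is computed as a fixpoint that terminates because the domain is finite. The encoding is an assumption of the example: norm names are strings with primes appended per time step, the constant 0 is a special norm that is never primed (so that n − i > 0 is an order constraint), and each constraint carries a strictness flag. Run on the size-change abstracted inner loop of Example 1 it yields the two-element hull {Id, T} stated in Section 2, and a strict cycle in the closure is how an unsatisfiable concatenation (the "false" disjuncts of Section 2) shows up in the abstract.

```python
# Added example (not the paper's code): size-change relations (SCRs) as sets of
# order constraints, their concatenation (Definition 10) and the reflexive
# transitive hull alpha(T)* that Theorem 1 uses to summarize loops.
# Encoding assumed by this example (not the paper's notation):
#   * a norm is a string; priming appends "'" (x -> x', x' -> x'');
#   * the constant 0 is the special norm "0", never primed, so that a
#     constraint such as n-i > 0 is an order constraint between two norms;
#   * a constraint is (lhs, rhs, strict): lhs > rhs if strict, else lhs >= rhs;
#   * an SCR is a frozenset of constraints, kept transitively closed so that
#     equal SCRs have equal representations (needed for the fixpoint test).
from itertools import product

CONST = "0"

def prime(name):
    """x -> x', x' -> x''; the constant norm is shared by all time steps."""
    return name if name == CONST else name + "'"

def level(name):
    """Number of primes on a norm name."""
    return 0 if name == CONST else len(name) - len(name.rstrip("'"))

def closure(constraints):
    """Transitive closure of a set of order constraints (Floyd-Warshall on the
    constraint graph; a derived constraint is strict iff some edge on the path
    is strict).  Returns None if a strict cycle x > ... > x appears, i.e. the
    constraints are unsatisfiable over the integers."""
    best = {}
    for a, b, strict in constraints:
        best[(a, b)] = best.get((a, b), False) or strict
    nodes = sorted({x for pair in best for x in pair})
    for k, i, j in product(nodes, repeat=3):          # k is the outermost loop
        if (i, k) in best and (k, j) in best:
            best[(i, j)] = best.get((i, j), False) or best[(i, k)] or best[(k, j)]
    if any(a == b and s for (a, b), s in best.items()):
        return None
    return frozenset((a, b, s) for (a, b), s in best.items() if a != b)

def identity(norms):
    """The SCR Id: x' >= x and x >= x' for every norm x."""
    return closure([(prime(x), x, False) for x in norms] +
                   [(x, prime(x), False) for x in norms])

def compose(t1, t2):
    """T1 o T2 = alpha(gamma(T1) o gamma(T2)), computed in the abstract: t2 is
    shifted one time step (x -> x', x' -> x''), the union is closed, and the
    intermediate single-primed norms are projected away.  None = empty."""
    joined = list(t1) + [(prime(a), prime(b), s) for a, b, s in t2]
    closed = closure(joined)
    if closed is None:
        return None
    def unshift(x):                                   # x'' -> x'; x and "0" unchanged
        return x[:-1] if level(x) == 2 else x
    return frozenset((unshift(a), unshift(b), s) for a, b, s in closed
                     if level(a) != 1 and level(b) != 1)

def compose_sets(s1, s2):
    """S1 o S2 = {T1 o T2 | T1 in S1, T2 in S2}, dropping unsatisfiable SCRs."""
    result = set()
    for t1, t2 in product(s1, s2):
        c = compose(t1, t2)
        if c is not None:
            result.add(c)
    return result

def reflexive_transitive_hull(scrs, norms):
    """alpha(T)* = {Id} u S u S^2 u ... as a fixpoint; it terminates because there
    are only finitely many SCRs over a fixed set of norms."""
    hull = {identity(norms)}
    frontier = set(hull)
    while frontier:
        new = compose_sets(frontier, scrs) - hull
        hull |= new
        frontier = new
    return hull

# Example 1 (Section 2): the inner loop's transition {i<n, i'=i+1, j'=j+1, n'=n}
# size-change abstracted with the norms n-i and j.
NORMS = ["n-i", "j"]
INNER = closure([("n-i", CONST, True),    # n-i > 0
                 ("n-i", "n-i'", True),   # n'-i' < n-i
                 ("j'", "j", True)])      # j < j'

def summarize_inner_loop():
    """gamma(alpha(T)*) for Example 1's inner loop, in the abstract."""
    return reflexive_transitive_hull({INNER}, NORMS)

if __name__ == "__main__":
    for scr in summarize_inner_loop():
        print(sorted(scr))
    # An unsatisfiable concatenation: j' = 0 followed by j > 0 (the skipped-loop
    # disjunct on the path rho1 -> rho3 of Example 1).
    print(compose(closure([(CONST, "j'", False), ("j'", CONST, False)]),
                  closure([("j", CONST, True)])))
```

Because every SCR is stored closed, `compose(INNER, INNER)` is literally equal to `INNER`, which is why the fixpoint stops after one round with exactly the hull {Id, T}; a real implementation would equally need a canonical form, since the fixpoint test is a set-membership test.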



4 Main Steps of our Analysis

Let $P = (L, E)$ be a program and $l \in L$ be a location for which we want to compute a bound. Our analysis consists of four main steps:

1. Extract a set of norms N using heuristics (Section 7)

2. Compute global invariants by standard abstract domains

3. Compute $T = \mathrm{TransSys}(P, l)$ (Section 5)

4. Compute $b = \mathrm{Bound}(\mathrm{Contextualize}(T))$ (Section 6)

In Step 1 we extract a set of norms N using the heuristics described in Section 7. The abstraction function $\alpha$ that we use in Steps 3 and 4 is parameterized by the set of norms N. In Step 2 we compute global invariants by standard abstract domains such as interval, octagon or polyhedra. As this step is standard, we do not discuss it in this paper. In Step 3 we compute a transition system $T = \mathrm{TransSys}(P, l)$ for $P|_l$ by Algorithm 1. In Step 4 we compute a bound $b = \mathrm{Bound}(\mathrm{Contextualize}(T))$ for the number of visits to l, where we first use the program transformation contextualization of Definition 11 to transform T into a program from which we then compute a bound b by Algorithm 2.



Procedure: TransSys(P, l)

Input: a program P = (L, E), a location l ∈ L

Output: a transition system for P|_l

Global: array summary for storing transition invariants

foreach (loop, header) ∈ NestedLoops(P, l) do
    T := TransSys(loop, header);
    hull := γ(α(T)*);
    summary[header] := hull;

foreach cycle-free path π = l →ρ0 l1 →ρ1 l2 ··· lk →ρk l ∈ paths(P, l) do
    T_π := {ρ0} ∘ ITE(IsHeader(l1), summary[l1], {Id}) ∘ {ρ1} ∘
           ITE(IsHeader(l2), summary[l2], {Id}) ∘ {ρ2} ∘ ··· ∘
           ITE(IsHeader(lk), summary[lk], {Id}) ∘ {ρk};

return ⋃_{cycle-free path π ∈ paths(P, l)} T_π

Algorithm 1: TransSys(P, l) computes a transition system for P|_l

5 Computing Transition Systems

In this section we describe our algorithm for computing transition systems. We first present the actual algorithm, and then discuss specific characteristics. The function TransSys in Algorithm 1 takes as input a program $P = (L, E)$ and a location $l \in L$ and computes a transition system for $P|_l$, cf. Theorem 2 below. The key ideas of Algorithm 1 are (1) to summarize inner loops disjunctively by transition invariants computed with SCA, and (2) to enumerate all cycle-free paths for pathwise analysis. Note that for loop summarization the algorithm is recursively invoked. We give an example for the application of Algorithm 1 to Example 1 in Section B.1 of the appendix.



Loop Summarization. In the first foreach-loop, Algorithm 1 iterates over all nested loops of P w.r.t. l. A loop loop of P is a nested loop w.r.t. l, if it is strongly connected to l but does not contain l, and if there is no loop with the same properties that strictly contains loop. Let loop be a nested loop of P w.r.t. l and let header be its header. (We assume that the program is reducible, see discussion below.) TransSys calls itself recursively to compute a transition system T for $\mathit{loop}|_{\mathit{header}}$.

In the statement $\mathit{hull} := \gamma(\alpha(T)^*)$, $\alpha(T)$ size-change abstracts T to an SCR set, $\alpha(T)^*$ computes the transitive hull of this SCR set, and $\gamma(\alpha(T)^*)$ concretizes the abstract transitive hull to a transition set, which is then assigned to hull. Algorithm 1 stores hull in the array summary; hull is a transition invariant for $\mathit{loop}|_{\mathit{header}}$ by the soundness of SCA as stated in Theorem 1.

After the first foreach-loop, Algorithm 1 has summarized all inner loops, not only the nested loops, because the recursive calls reach all nesting levels. For each inner loop loop with header header a transition invariant for $\mathit{loop}|_{\mathit{header}}$ has been stored at summary[header]. Summaries of inner loops are visible to all outer loops, because the array summary is a global variable.

Pathwise Analysis. In the second foreach-loop, Algorithm 1 iterates over all cycle-free paths of P with start and end location l. Let $\pi = l \xrightarrow{\rho_0} l_1 \xrightarrow{\rho_1} \cdots l_k \xrightarrow{\rho_k} l$ be such a cycle-free path. The expression $\mathrm{ITE}(\mathrm{IsHeader}(l_i), \mathit{summary}[l_i], \{\mathit{Id}\})$ evaluates to $\mathit{summary}[l_i]$ for each location $l_i$, if $l_i$ is the header of an inner loop $\mathit{loop}_i$, and evaluates to the transition set $\{\mathit{Id}\}$, which contains only the identity relation over the program states, otherwise. Algorithm 1 computes the set $T_\pi = \{\rho_0\} \circ \mathrm{ITE}(\mathrm{IsHeader}(l_1), \mathit{summary}[l_1], \{\mathit{Id}\}) \circ \{\rho_1\} \circ \mathrm{ITE}(\mathrm{IsHeader}(l_2), \mathit{summary}[l_2], \{\mathit{Id}\}) \circ \{\rho_2\} \circ \cdots \circ \mathrm{ITE}(\mathrm{IsHeader}(l_k), \mathit{summary}[l_k], \{\mathit{Id}\}) \circ \{\rho_k\}$, which is an overapproximation of the contraction of $\pi$, where the summaries of the inner loops $\mathit{loop}_i$ are inserted at their headers $l_i$. The transition set $T_\pi$ overapproximates all paths starting and ending in l that iterate arbitrarily often through inner loops along $\pi$, because for every loop $\mathit{loop}_i$ the transition set $\mathit{summary}[l_i]$ overapproximates all paths starting and ending in $l_i$ that iterate arbitrarily often through $\mathit{loop}_i$ (as $\mathit{summary}[l_i]$ is a transition invariant for $\mathit{loop}_i|_{l_i}$). Algorithm 1 returns the union $\bigcup_{\text{cycle-free path } \pi \in \mathit{paths}(P, l)} T_\pi$ of all these transition sets $T_\pi$.

Theorem 2. Algorithm 1 computes a transition system $\mathrm{TransSys}(P, l)$ for $P|_l$.

Proof (Sketch). Let $\pi' \in \mathit{paths}(P, l)$ be a simple path. We obtain a cycle-free path $\pi \in \mathit{paths}(P, l)$ from $\pi'$ by deleting all iterations through inner loops of (P, l) from $\pi'$. The transition set $T_\pi$ overapproximates all paths starting and ending in l that iterate arbitrarily often through inner loops of (P, l) along $\pi$. As $\pi'$ iterates through inner loops of (P, l) along $\pi$ we have $\mathit{rel}(\pi') \subseteq \bigcup T_\pi$.
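Algorithm 1 run on the program of Example 1, as an added example that is not the paper's code: it enumerates the cycle-free paths from l1 back to l1, inserts the summary of the inner loop at its header l2, contracts along each path and drops empty relations. To keep it self-contained, the example makes three assumptions that the paper does not: transition relations are explicit finite sets of state pairs (i, j) over a bounded domain with n fixed to 6, so that concatenation and the emptiness check (an SMT query in the paper) are set operations; the inner loop is summarized by its exact transition invariant {Id, T+} rather than by γ(α(T)*); and the nested loops of a program are listed explicitly instead of being computed. The outcome matches Section 2: exactly two non-empty transitions, one with j' = 0 (path π2) and one with j' > 0 (path π1), and n − i decreases along both.

```python
# Added example (not the paper's code): Algorithm 1 (TransSys) run on the program
# of Example 1.  Assumptions of this example: transition relations are explicit
# finite sets of state pairs over states (i, j) with a fixed n = N, so that
# concatenation, the emptiness check (an SMT query in the paper) and the loop
# summary can be computed directly; the inner loop is summarized by its exact
# transition invariant {Id, T+} instead of the SCA hull gamma(alpha(T)*); and
# the nested loops of a program are given explicitly instead of being computed.
from itertools import product

N = 6
STATES = [(i, j) for i in range(N + 1) for j in range(N + 1)]
ID = frozenset((s, s) for s in STATES)

def relation(pred):
    """Finite transition relation from a predicate on (i, j, i', j')."""
    return frozenset((s, t) for s, t in product(STATES, repeat=2) if pred(*s, *t))

# Transition relations of Figure 1 (rho5 leaves the loop and is not needed here).
RHO = {
    "rho1": relation(lambda i, j, i2, j2: i < N and i2 == i + 1 and j2 == 0),
    "rho2": relation(lambda i, j, i2, j2: i < N and i2 == i + 1 and j2 == j + 1),
    "rho3": relation(lambda i, j, i2, j2: j > 0 and i2 == i - 1 and j2 == j),
    "rho4": relation(lambda i, j, i2, j2: j <= 0 and i2 == i and j2 == j),
}

# A program is its edge list (source, transition name, target) plus its nested
# loops w.r.t. the analysed location, keyed by loop header.
INNER = {"edges": [("l2", "rho2", "l2")], "nested": {}}
OUTER = {"edges": [("l1", "rho1", "l2"), ("l2", "rho2", "l2"),
                   ("l2", "rho3", "l1"), ("l2", "rho4", "l1")],
         "nested": {"l2": INNER}}

def concat(r1, r2):
    """r1 o r2 for explicit relations."""
    succ = {}
    for a, b in r2:
        succ.setdefault(a, set()).add(b)
    return frozenset((a, c) for a, b in r1 for c in succ.get(b, ()))

def concat_sets(c1, c2):
    """Lift o to transition sets and drop empty relations (the paper's
    satisfiability check on the conjoined formulas)."""
    result = set()
    for r1, r2 in product(c1, c2):
        r = concat(r1, r2)
        if r:
            result.add(r)
    return result

def summarize(transitions):
    """Transition invariant {Id, T+} of a loop with transition system T."""
    union = frozenset().union(*transitions)
    plus = union
    while True:
        bigger = plus | concat(plus, union)
        if bigger == plus:
            return {ID, plus}
        plus = bigger

def cycle_free_paths(program, loc):
    """All cycle-free paths from loc back to loc, as edge lists."""
    paths = []
    def walk(cur, path, seen):
        for src, rho, tgt in program["edges"]:
            if src != cur:
                continue
            if tgt == loc:
                paths.append(path + [(src, rho, tgt)])
            elif tgt not in seen:
                walk(tgt, path + [(src, rho, tgt)], seen | {tgt})
    walk(loc, [], {loc})
    return paths

SUMMARY = {}   # the algorithm's global array, indexed by loop header

def trans_sys(program, loc):
    """Algorithm 1: a transition system for P|loc."""
    for header, loop in program["nested"].items():        # first foreach-loop
        SUMMARY[header] = summarize(trans_sys(loop, header))
    result = set()
    for path in cycle_free_paths(program, loc):           # second foreach-loop
        t_pi = {ID}
        for _, rho, tgt in path:
            t_pi = concat_sets(t_pi, {RHO[rho]})
            if tgt != loc and tgt in SUMMARY:             # ITE(IsHeader(l_i), ...)
                t_pi = concat_sets(t_pi, SUMMARY[tgt])
        result |= t_pi
    return result

if __name__ == "__main__":
    for rel in trans_sys(OUTER, "l1"):
        print(len(rel), "state pairs, e.g.", sorted(rel)[:3])
```

The path enumeration skips the self-loop at l2 because l2 is already on the path, which is exactly why the inner loop has to be re-introduced through summary[l2]; without that insertion both paths would contract to relations that only ever increase i by one.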

Implementation. We use conjunctions of formulae to represent individual transitions. This allows us to implement the concatenation of transition relations by conjoining their formulae and introducing existential quantifiers for the intermediate variables. We detect empty transition relations by asking an SMT solver whether their corresponding formulae are satisfiable. We use these emptiness checks at several points during the analysis to reduce the number of transition relations.

Algorithm 1 may exponentially blow up in size because of the enumeration of all cycle-free paths and the computation of transitive hulls of inner loops. We observed in our experiments that first extracting norms from the program under scrutiny and then slicing the program w.r.t. these norms before continuing with the analysis normally results in programs small enough to make our analysis feasible.

Irreducible programs. Algorithm 1 refers to loop headers, and thus implicitly assumes that loops are reducible. (Recall that in a reducible program each SCC has a unique entry point called the header.) We have formulated Algorithm 1 in this way to make clear how it exploits the looping structure of imperative programs. However, Algorithm 1 can be easily extended to irreducible loops by a case distinction on the (potentially multiple) entry points of SCCs.

5.1 Disjunctiveness in Algorithm 1

Disjunctiveness is crucial for bound analysis. We have given two examples for this fact in Section 2 and refer the reader for further examples to [17,5,27]. We emphasize that our analysis can handle all examples of these publications, and give a detailed comparison with them in Section 8. Our analysis is disjunctive in two ways:

(1) We summarize inner loops disjunctively. Given a transition system T for some inner loop loop, we want to summarize loop by a transition invariant. The most precise transition invariant $T^* = \{\mathit{Id}\} \cup T \cup T^2 \cup T^3 \cup \cdots$ introduces infinitely many disjunctions and is not computable in general. In contrast to this, the abstract transitive hull $\alpha(T)^* = \alpha(\{\mathit{Id}\}) \cup \alpha(T) \cup \alpha(T)^2 \cup \alpha(T)^3 \cup \cdots$ has only finitely many disjunctions and is effectively computable. This allows us to overapproximate the infinite disjunction $T^*$ by the finite disjunction $\gamma(\alpha(T)^*)$.

We underline that the need for disjunctive summaries of inner loops in the bound analysis is a major motivation for SCA, as it allows us to compute disjunctive transitive hulls naturally, cf. the definition and discussion in Section 3.2.

(2) We summarize local transition relations disjunctively. Given a program $P = (L, E)$ and a location $l \in L$, we want to compute a transition system for $P|_l$. For a cycle-free path $\pi \in \mathit{paths}(P, l)$ the transition set $T_\pi$ computed in Algorithm 1 overapproximates all simple paths in $\mathit{paths}(P, l)$ that iterate through inner loops along $\pi$. As all $T_\pi$ are sets, the set union $\bigcup_{\text{cycle-free path } \pi \in \mathit{paths}(P, l)} T_\pi$ is a disjunctive summarization of all $T_\pi$ that keeps the information from different paths separated. This is important for our analysis, which relies on the observation that monotonic changes of norms can be observed along single paths from the loop header back to the header.

5.2 Pathwise Analysis in Algorithm 1 

It is well-known that analyzing large program parts jointly improves the pre- 
cision of static analyses, e.g. [7]. Owing to the progress in SMT solvers this 
idea has recently seen renewed interested by static analyses such as abstract 
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interpretation [21] and software model checking 6 , which use SMT solvers for 
abstracting large blocks of straight-line code jointly to increase the precision of 
the analysis. 

We call the analyses of [26,6] and classical SCA [24,4] blockwise, because they do joint abstraction only for loop-free program parts. In contrast, our pathwise analysis abstracts complete paths at once: Algorithm 1 enumerates all cycle-free paths from loop header to loop header and inserts summaries for inner loops on these paths. These paths are then abstracted jointly in a subsequent loop summarization or bound computation. In this way our pathwise analysis is strictly more precise than blockwise analysis. We illustrate this difference in precision on Example 1 in Section A of the appendix.

Parsers are a natural class of programs which illustrate the need for pathwise analysis. In our experiments we observed that many parsers increase an index while scanning the input stream and use lookahead to detect which token comes next. As in Example 1, lookaheads may temporarily decrease the index. Pathwise abstraction is crucial to reason about the program progress with SCA.

6 Bound Computation 

Our bound computation consists of two steps. Step 1 is the program transfor- 
mation contextualization which transforms a transition system into a program. 
Step 2 is the bound algorithm which computes bounds from programs. 

6.1 Contextualization 

Contextualization is a program transformation by Manolios and Vroon [25], who report on an impressive precision of their SCA-based termination analysis of functional programs. Note that we do not use their terminology (e.g. "calling context graphs") in this paper. Our contribution lies in adopting contextualization to imperative programs and in recognizing its relevance for bound analysis.

Definition 11 (Contextualization). Let $T$ be a transition set. The contextualization of $T$ is the program $P = (T, E)$, where $E = \{\rho \to \rho' \mid \rho, \rho' \in T \text{ and } \rho \circ \rho' \neq \emptyset\}$.

The contextualization of a transition system is a program in which every 
location determines which transition is executed next; the program has an edge 
between two locations only if the transitions of the locations can be executed 
one after another. 

Contextualization restricts the order in which the transitions of the transition 
system can be executed. Thus, contextualization encodes information that could 
otherwise be deduced from the pre- and postconditions of transitions directly 
into the CFG. Since pathwise analysis contracts whole loop paths into single 
transitions, contextualization is particularly important after pathwise analysis: 
our subsequent bound algorithm does not need to compute the pre- and post- 
condition of the contracted loop paths but only needs to exploit the structure 
of the CFGs for determining in which order the loop paths can be executed. 
Example 3.

    void main(int x, int b) {
      while (0 < x && x < 255) {
        if (b) x = x + 1;
        else x = x - 1;
      }
    }

[Figure 3, right part: the transition relations $\rho_1$, $\rho_2$ of Example 3 and the CFG obtained from contextualization; the drawing is not recoverable from the extracted text.]

Fig. 3. Example 3 with its transition relations and CFG obtained from contextualization.

We illustrate contextualization on Example 3. The program has two paths, and gives rise to the transition system $T = \{\rho_1, \rho_2\}$. Keeping track of the boolean variable $b$ is important for bound analysis: without reference to $b$ not even the termination of main can be proven. In Figure 3 (right) we show the contextualization of $T$. Note that contextualization has encoded information about the variable $b$ into the CFG in such a way that we do not need to keep track of the variable $b$ anymore. Thus, contextualization releases us from taking the precondition $b$ resp. $\neg b$ and the postcondition $b'$ resp. $\neg b'$ into account for bound analysis.

At the beginning we gave an application of contextualization on the sophisticated loop in Example 2, where contextualization uncovers the control structure of the finite state machine encoded into the loop. An application of contextualization to the flagship example of a recent publication [14] can be found in Section B.3 of the appendix.

Note that in our definition of contextualization we only consider the consistency of two consecutive transitions. It would also have been possible to consider three or more consecutive transitions. This would result in increased precision. However, we found two transitions to be sufficient in practice.

Implementation. We implement contextualization by encoding the concatenation $\rho_1 \circ \rho_2$ of two transitions $\rho_1, \rho_2$ into a logical formula and asking an SMT solver whether this formula is satisfiable. Note that such a check is very simple to implement in comparison to the explicit computation of pre- and postconditions.
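As an added example (not the paper's LOOPUS implementation), the following Python code performs the contextualization of Example 3 and the size-change abstraction of its two transitions. It assumes a small constructed finite domain for $x$ and decides the satisfiability of $\rho_1 \circ \rho_2$ by enumeration instead of an SMT call; the norms $x$ and $255 - x$ are taken from the loop condition as in the norm heuristic of Section 7.

```python
"""Contextualization (Definition 11) and size-change abstraction of Example 3.

Added example, not the paper's LOOPUS implementation.  The paper decides
whether rho1 o rho2 is satisfiable with an SMT solver; here x ranges over a
small constructed finite domain, so the same question is answered by
enumerating post- and pre-images.  The norms x and 255 - x are taken from
the loop condition 0 < x < 255, following the heuristic of Section 7.
"""
from itertools import product

# Constructed state space: x in [-1, 256] (wide enough to hold every state
# reachable from a state satisfying the loop condition), b in {0, 1}.
STATES = [(x, b) for x, b in product(range(-1, 257), (0, 1))]

def rho1(s):
    """rho1 of Example 3 (the 'if (b)' path): successor of s, or None if the
    guard 0 < x < 255 and b does not hold."""
    x, b = s
    return (x + 1, b) if 0 < x < 255 and b else None

def rho2(s):
    """rho2 of Example 3 (the 'else' path): guard 0 < x < 255 and not b."""
    x, b = s
    return (x - 1, b) if 0 < x < 255 and not b else None

TRANSITIONS = {"rho1": rho1, "rho2": rho2}

def contextualize(transitions, states):
    """Edges rho -> rho' of the contextualization: rho o rho' is non-empty
    iff some successor state under rho satisfies the guard of rho'."""
    post = {n: {t(s) for s in states if t(s) is not None}
            for n, t in transitions.items()}
    pre = {n: {s for s in states if t(s) is not None}
           for n, t in transitions.items()}
    return {(a, b) for a in transitions for b in transitions if post[a] & pre[b]}

# Norms from the loop condition: x > 0 yields x, x < 255 yields 255 - x.
NORMS = {"x": lambda s: s[0], "255-x": lambda s: 255 - s[0]}

def size_change_abstract(t, norms, states):
    """alpha(rho) over the norms: the predicates n > 0, n >= n', n > n' that
    hold on every pair (s, s') of the transition (checked by enumeration)."""
    pairs = [(s, t(s)) for s in states if t(s) is not None]
    scr = set()
    for name, n in norms.items():
        if all(n(s) > 0 for s, _ in pairs):
            scr.add(f"{name} > 0")
        if all(n(s) >= n(s2) for s, s2 in pairs):
            scr.add(f"{name} >= {name}'")
        if all(n(s) > n(s2) for s, s2 in pairs):
            scr.add(f"{name} > {name}'")
    return scr

if __name__ == "__main__":
    # Expected: only rho1 -> rho1 and rho2 -> rho2, since b never changes.
    print(sorted(contextualize(TRANSITIONS, STATES)))
    for name, t in TRANSITIONS.items():
        print(name, sorted(size_change_abstract(t, NORMS, STATES)))
```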



Procedure: Bound(P)
Input: a program $P = (L, E)$
Output: a bound $b$ on the length of the traces of $P$
  SCCs := computeSCCs(P); b := 0;
  while SCCs $\neq \emptyset$ do
    SCCsOnLevel := $\emptyset$;
    forall the SCC $\in$ SCCs s.t. no SCC' $\in$ SCCs can reach SCC do
      r := BndSCC(SCC);
      Let $r \leq b_{SCC}$ be a global invariant;
      SCCsOnLevel := SCCsOnLevel $\cup$ {SCC};
    b := b + $\max_{SCC \in SCCsOnLevel} b_{SCC}$;
    SCCs := SCCs $\setminus$ SCCsOnLevel;
  return b;

Algorithm 2: Bound composes the bounds of the SCCs to an overall bound
6.2 Bound Algorithm

Our bound algorithm reduces the task of bound computation to the computation of local bounds and the composition of these local bounds to an overall bound. To this end, we exploit the structure of the CFGs obtained from contextualization: we partition the CFG of programs into its strongly connected components (SCCs) (SCCs are maximal strongly connected subgraphs). For each SCC, we compute a bound by Algorithm 3 and then compose these bounds to an overall bound by Algorithm 2.

Algorithm 2 arranges the SCCs of the CFG into levels: the first level consists of the SCCs that do not have incoming edges, the second level consists of the SCCs that can be reached from the first level, etc. For each level, Algorithm 2 calls Algorithm 3 to compute bounds for the SCCs of this level. Let SCC be an SCC of some level and let $r := \mathrm{BndSCC}(SCC)$ be the bound returned by Algorithm 3 on SCC. $r$ is a (local) bound of SCC that may contain variables of $P$ that are changed during the execution of $P$. Algorithm 2 uses global invariants (e.g. interval, octagon or polyhedra) in order to obtain a bound $b_{SCC}$ on $r$ in terms of the initial values of $P$. The SCCs of one level are collected in the set SCCsOnLevel. For each level, Algorithm 2 composes the bounds $b_{SCC}$ of all SCCs $SCC \in$ SCCsOnLevel to a maximum expression. Algorithm 2 sums up the bounds of all levels for obtaining an overall bound.



Procedure: BndSCC(P)
Input: strongly-connected program $P = (L, E)$
Output: a bound $b$ on the length of the traces of $P$
  if $E = \emptyset$ then return 1;
  NonIncr := $\emptyset$; DecrBnded := $\emptyset$; BndedEdgs := $\emptyset$;
  foreach $n \in N$ do
    if $\forall\, l_1 \xrightarrow{\rho} l_2 \in E.\ n \geq n' \in \alpha(\rho)$ then
      NonIncr := NonIncr $\cup$ {n};
  foreach $l_1 \xrightarrow{\rho} l_2 \in E$, $n \in$ NonIncr do
    if $n > 0,\ n > n' \in \alpha(\rho)$ then
      DecrBnded := DecrBnded $\cup$ {max(n, 0)};
      BndedEdgs := BndedEdgs $\cup$ {$l_1 \xrightarrow{\rho} l_2$};
  if BndedEdgs $= \emptyset$ then fail with "there is no bound for P";
  b := Bound((L, E $\setminus$ BndedEdgs));
  return ((Σ DecrBnded) + 1) · b;

Algorithm 3: BndSCC computes a bound for a single SCC



Algorithm 3 computes the bound of a strongly-connected program $P$. First Alg. 3 checks if $P = (L, E)$ is trivial, i.e., $E = \emptyset$, and returns 1 if this is the case. Next Alg. 3 collects all norms in the set NonIncr that either decrease or stay equal on all transitions. Subsequently Alg. 3 checks for every norm $n \in$ NonIncr and transition $l_1 \xrightarrow{\rho} l_2 \in E$ whether $n$ is bounded from below by zero and decreases on $\rho$. If this is the case, Alg. 3 adds $\max(n, 0)$ to the set DecrBnded and $l_1 \xrightarrow{\rho} l_2$ to BndedEdgs. Note that the transitions included in the set BndedEdgs can only be executed as long as their associated norms are greater than zero. Every transition in BndedEdgs decreases an expression in DecrBnded when it is taken. As the expressions in DecrBnded are never increased, the sum of all expressions in DecrBnded is a bound on how often the transitions in BndedEdgs can be taken. If DecrBnded is empty, the algorithm fails, because the absence of infinite cycles could not be proven. Otherwise we recursively call Alg. 2 on $(L, E \setminus \mathrm{BndedEdgs})$ for a bound $b$ on this subgraph. The subgraph can at most be entered as often as the transitions in BndedEdgs can be taken plus one (when it is entered first). Thus, $((\sum \mathrm{DecrBnded}) + 1) \cdot b$ is an upper bound for $P$.
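Added example (Python, not the paper's LOOPUS code): Algorithms 2 and 3 run on the size-change abstract program of Example 3 after contextualization. It assumes an abstract program constructed by hand from Figure 3 (edges labelled with SCRs over the norms $x$ and $255 - x$) and takes the global-invariant step of Algorithm 2 to be the identity, so the norms in the returned bound denote their initial values.

```python
"""Algorithms 2 (Bound) and 3 (BndSCC) over a size-change abstract program.

Added example, not the paper's LOOPUS code.  An edge (l1, scr, l2) carries
an SCR scr: a frozenset of ('gt0', n) for n > 0, ('ge', n) for n >= n' and
('gt', n) for n > n'.  Bounds are expression trees over initial norm values;
the global-invariant step of Algorithm 2 is assumed to be the identity.
"""

def reach(locs, edges):
    """Reflexive-transitive reachability relation over the locations."""
    r = {l: {l} for l in locs}
    for l1, _, l2 in edges:
        r[l1].add(l2)
    changed = True
    while changed:
        changed = False
        for l in locs:
            closure = set().union(*(r[m] for m in r[l]))
            if not closure <= r[l]:
                r[l] |= closure
                changed = True
    return r

def compute_sccs(locs, edges):
    """Maximal strongly connected subgraphs, as frozensets of locations."""
    r = reach(locs, edges)
    return {frozenset(m for m in locs if m in r[l] and l in r[m]) for l in locs}

def bnd_scc(locs, edges, norms):
    """Algorithm 3: bound for a strongly connected program (locs, edges)."""
    if not edges:
        return ("const", 1)                       # trivial SCC
    # NonIncr: norms that decrease or stay equal on every transition.
    non_incr = [n for n in norms
                if all(("ge", n) in scr or ("gt", n) in scr for _, scr, _ in edges)]
    decr_bnded, bnded_edges = set(), set()
    for edge in edges:
        _, scr, _ = edge
        for n in non_incr:
            # n bounded from below by zero and decreased on this transition
            if ("gt0", n) in scr and ("gt", n) in scr:
                decr_bnded.add(("max0", n))       # stands for max(n, 0)
                bnded_edges.add(edge)
    if not bnded_edges:
        raise ValueError("there is no bound for P")
    rest = [e for e in edges if e not in bnded_edges]
    sub = bound(locs, rest, norms)                # recursive call to Algorithm 2
    return ("mul", ("add", ("sum", sorted(decr_bnded)), ("const", 1)), sub)

def bound(locs, edges, norms):
    """Algorithm 2: compose the SCC bounds level by level."""
    sccs = compute_sccs(locs, edges)
    r = reach(locs, edges)
    total = ("const", 0)
    while sccs:
        # SCCs of the current level: reachable from no other remaining SCC
        on_level = {scc for scc in sccs
                    if not any(other != scc and any(m in r[l] for l in other for m in scc)
                               for other in sccs)}
        level = []
        for scc in on_level:
            inner = [e for e in edges if e[0] in scc and e[2] in scc]
            level.append(bnd_scc(scc, inner, norms))   # identity global invariant
        total = ("add", total, ("max", level))
        sccs -= on_level
    return total

def evaluate(expr, env):
    """Evaluate a bound expression for initial norm values env (name -> int)."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "max0":
        return max(env[expr[1]], 0)
    if kind == "add":
        return evaluate(expr[1], env) + evaluate(expr[2], env)
    if kind == "mul":
        return evaluate(expr[1], env) * evaluate(expr[2], env)
    if kind == "sum":
        return sum(evaluate(e, env) for e in expr[1])
    return max(evaluate(e, env) for e in expr[1])  # kind == "max"

# Constructed abstract program of Example 3 after contextualization: the
# locations are the transitions rho1, rho2; only rho1 -> rho1 and
# rho2 -> rho2 are consistent (b is never changed).  The norms x and
# 255 - x stem from the loop condition 0 < x < 255.
NORMS = ["x", "255-x"]
ALPHA_RHO1 = frozenset({("gt0", "x"), ("gt0", "255-x"), ("ge", "255-x"), ("gt", "255-x")})
ALPHA_RHO2 = frozenset({("gt0", "x"), ("gt0", "255-x"), ("ge", "x"), ("gt", "x")})
EXAMPLE3 = ({"rho1", "rho2"},
            [("rho1", ALPHA_RHO1, "rho1"), ("rho2", ALPHA_RHO2, "rho2")])

def example3_bound():
    """Bound on the trace length of Example 3: max(max(255-x,0)+1, max(x,0)+1)."""
    locs, edges = EXAMPLE3
    return bound(locs, edges, NORMS)

def initial_env(x):
    """Initial values of both norms for an initial value x."""
    return {"x": x, "255-x": 255 - x}

if __name__ == "__main__":
    for x0 in (100, 300):
        print(x0, evaluate(example3_bound(), initial_env(x0)))
```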

Role of SCA in our Bound Analysis. Our bound analysis uses the size-change abstractions of transitions to determine how a norm $n$ changes according to $n \geq n'$, $n > n'$, $n > 0$ in Alg. 3. We plan to incorporate inequalities between different norms (like $n > m'$) in future work to make our analysis more precise.

Termination analysis. If in Algorithm 2 the global invariant analysis cannot infer an upper bound on some local bound, the algorithm fails to compute a bound, but we can still compute a lexicographic ranking function, which is sufficient to prove termination. The respective adjustment of our algorithm is straightforward.

We give an example for the application of Algorithm 2 to Example 2 and to the flagship example of [14] in Sections B.2 and B.3 of the appendix.



7 Heuristics for Extracting Norms

In this section we describe our heuristic for extracting norms from programs. Let $P = (L, E)$ be a program and $l \in L$ be a location. We compute all cycle-free paths from $l$ back to $l$. For all arithmetic conditions $x > y$ appearing in some of these paths we take $x - y$ as a norm if $x - y$ decreases on this path; this can be checked by an SMT solver. Note that in such a case $x - y$ is a local ranking function for this program path. Similar patterns and checks can be implemented for iterations over bitvectors and data structures. For a more detailed discussion on how to extract the local ranking functions of a program path we refer the reader to [17]. We also compute norms for inner loops on which already extracted norms are control dependent and add them to the set of norms until a fixed point is reached (similar to program slicing). We also include the sum and the difference of two norms, if an inner loop affects two norms at the same time. Further, we include the rounded logarithm of a norm, if the norm is multiplied by a constant on some program path. In general any integer-valued expression can be used as a program norm, if considered useful by some heuristic. Clearly the analysis gets more precise the more norms are taken into account, but also more costly.
8 Detailed Comparison with Related Work

In this section we give a detailed comparison with earlier termination / bound analyses. We show that our bound analysis captures the essential ideas of these approaches in a simpler framework.

8.1 Comparison of transition predicate abstraction (TPA) and SCA by Heizmann et al.

In [18] Heizmann et al. state that SCA is an instance of the more general technique of TPA [35]. In particular they formally show that when a tail-recursive functional program $F$ is translated into an imperative program $P$, then an SCA-based termination analysis on $F$ can be mimicked by a TPA-based termination analysis on $P$ whose predicates are order relations. However, [18] does not

— deal with general imperative programs, but with programs obtained as translations from functional programs. Since functional programs can be size-change abstracted more easily (as explained in our comparison with SCA in Section 8.7), this problem setting is much simpler.

— show how to obtain transition predicates for the independent analysis of imperative programs by TPA. It only shows that (as a result of the translation) TPA is more general than SCA.

— deal with a concrete programming language, and does not deal with practical issues, or concrete analysis tools.

— make use of the recent progress of the SCA [4], where SCA is extended from natural numbers to integers, and deals only with natural numbers.

Our paper fills in all these left open gaps. Moreover, our paper clearly goes beyond the issues discussed in [18] by unifying much of the previous work on termination and bound analysis, e.g., see our comparison to Terminator in Section 8.2, SPEED in Section 8.6 etc.

While we find it quite intuitive that SCA as well as our more general approach 
are instances of TPA, we are concerned with a different issue in this paper. We 
argue that precisely because of its limited expressiveness SCA is suitable for 
bound analysis: abstracted programs are simple enough that we can compute 
bounds for them. We have shown that imperative programs are amenable to 
bound analysis by SCA using appropriate program transformations, whereas [18] 
is not concerned with practical issues. 

8.2 Termination Analysis by Terminator 

The Terminator tool [8] is an automatic termination analyzer of imperative programs, which uses TPA [28] for constructing a Ramsey based termination argument [27].

Our approach and Terminator share the idea of extracting progress measures locally (norms resp. local ranking functions) and composing them for a global analysis (bound resp. termination proof). Because of its non-constructive nature, the Ramsey based termination argument underlying Terminator cannot be used for extracting a global ranking function out of the termination proof. In contrast, we use SCA for the first time to compose global bounds from bounds on norms. Earlier work on SCA [4] already has shown how to compute global ranking functions from norms.

In order to apply the Ramsey based termination argument, Terminator needs to analyze the transitive hull of programs. This analysis is the most expensive step in the analysis of Terminator and has to be repeated many times. In contrast, we abstract programs first and then analyze only the transitive hull of the abstract program. This has huge benefits for the speed of the analysis (further discussed in Section 8.3).

TPA can lose precision in every step of the analysis. In contrast, our pathwise analysis follows the structure of programs and loses precision only at well-defined places. Our analysis handles paths precisely by conjoining the formulae of the statements along the path (using all theories that can be handled by SMT solvers) and loses precision only when summarizing loops. However, we handle loops precisely w.r.t. their monotonic behavior of norms: SCA is closed under taking transitive hulls, and because of the built-in disjunctiveness of SCA and the transitivity of the order relations, transitive hulls can be computed effectively.

Terminator is built on top of a full-fledged software model checker, which implements a complicated CEGAR loop in order to extract predicates and local ranking functions from programs. In contrast, our simple and lightweight static analysis relies only on an SMT solver, our set of transition predicates is fixed in advance (the monotonicity predicates of SCA) and our set of norms is extracted from the program at the beginning of the analysis. It is an interesting direction of future work to investigate how to combine these approaches, e.g., by using coarse abstractions for filtering the "easy cases" and refining the precision for handling the "hard cases".

8.3 Termination Analysis by Loopfrog 

[22,30] observe that TPA-based approaches such as Terminator [8] spend almost all time in analyzing the transitive hulls of programs, i.e., the expensive step is proving $P|_l^+ \subseteq \bigcup T$ for transition sets $T$. Therefore [22,30] take a different approach and give algorithms that search for a transitive transition system $T$ for $P|_l$. A transition set $T$ is transitive, if $\bigcup T^2 \subseteq \bigcup T$. A transitive transition system $T$ for $P|_l$ already implies $P|_l^+ \subseteq \bigcup T^+ \subseteq \bigcup T$ by the transitivity of $T$. This has the advantage that the expensive direct proof of $P|_l^+ \subseteq \bigcup T$ is avoided.

The first version of Loopfrog [22] implements an algorithm that constructs such transitive transition systems iteratively. In every step Loopfrog adds transition relations to a candidate transition set $T$. We argue that the effectiveness of such an iterative algorithm is limited, and that what the authors of [22] really want is SCA!

Note that a transitive transition system $T$ for $P|_l$ that is precise enough to prove the termination of $P$ is an overapproximation of $P$ that still terminates. Let us consider an example transition set $T = \{\rho_1, \rho_2\}$ with $\rho_1 = x > 0 \land x > x'$ and $\rho_2 = y > 0 \land y > y'$. $T$ does not terminate because $\rho_1$ can increase the value of $y$ arbitrarily and $\rho_2$ can increase the value of $x$ arbitrarily. Let us assume that the analyzed program $P$ nevertheless terminates because the variable $x$ can only be decreased when $y$ stays constant. Let us further assume that Loopfrog has added $\rho_1$ to $T$ in the first step and $\rho_2$ in the second step of its iteration. Loopfrog could have added the information about $x$ in the first step by setting $\rho_1 = x > 0 \land x > x' \land y = y'$, but not in the second step. Note that once the candidate transition set $T$ does not terminate, it cannot be repaired by adding transition relations. Note further that in later steps the loss of information of earlier steps cannot be repaired, as we have seen on the above example. Thus, we conclude that a candidate transition set $T$ has to be constructed in one single step. This is exactly what we do in our analysis. We first compute transition systems for programs, and then size-change abstract the transition relations for our bound analysis. Alternatively, these abstracted transition relations could be analyzed for termination by a transitive hull computation using the termination criterion of SCA [3]. This transitive hull then provides exactly the transitive transition system $T$ for $P|_l$. From this we conclude that what the authors of [22] really want is SCA!

The second version of Loopfrog [30] uses relational loop summarization (see also the next subsection). For this summarization [30] uses template invariants. Only one of these templates contains disjunction (two disjuncts). [30] states that these templates are inspired by the more general size-change abstract domain. We show in this paper how to employ the full SCA domain by using pathwise analysis for exploiting the looping structure of imperative programs. This allows us to use the full disjunctive power of SCA. [30] is only concerned with termination analysis, whereas we show how to use SCA for the more difficult problem of bound analysis.

8.4 Loop Summarization 

Loop summarization as in Algorithm 1 is being recognized as an important tool in program analysis; for example, [21] summarizes loops by overapproximations of the reachable states for automatic proofs of safety properties. Relational summarizations of loops have for the first time been used in the bound analysis of [17]. The termination analysis [30], which is an extension of [21], also uses relational summaries of loops.

Loop summarization is closely related to procedure summarization, e.g. [16] . 

8.5 Disjunctive Abstract Domains 

The papers [17,5] on bound and termination analysis use abstract interpretation for computing disjunctive transition invariants. Both papers suggest lifting a conjunctive abstract domain $D$ to the powerset domain $2^D$, and refer to the standard octagon / polyhedra domains as instantiations of $D$ in their implementation sections.
However, lifting the octagon / polyhedra domain to the powerset domain is difficult because it requires an adequate lifting of the join operator: set union is the precise join operator of both powerset lattices, but every set union may increase the number of the base elements of the powerset elements. Note that both powerset lattices have infinite width. Thus using set union as join operator does not guarantee the termination of the analysis. A standard way of ensuring the finiteness of the analysis is by limiting the number of base elements of a powerset element, such that every time the number of base elements of a powerset element is over the limit some base elements are merged.

[17] states an algorithm for lifting the join operator to the powerset domain based on an assumption resembling convex theories that uses the same syntactic merging function in every step of the fixed point computation. However, [17] proposes to choose the merging function heuristically or to try all merging functions for a small number of disjuncts and take the best result. [5] remains vague: "For our present empirical evaluation we use an extraction method after the fixed-point analysis has been performed in order to find disjunctive invariance/variance assertions."

In contrast, SCA is a finite powerset domain that naturally handles disjunction: SCA has finite width, therefore we never have to merge abstract elements and can handle disjunction precisely. This releases us from relying on complicated merging algorithms as in [17,5]. SCA has finite height, therefore we do not need widening to compute fixed points (e.g. transitive hulls). This releases us from lifting the widening operator of conjunctive domains (e.g. octagon, polyhedra) to powerset domains.

8.6 Bound Analysis by the SPEED project 

In earlier work [17] we have stated proof rules for computing global bounds from local bounds of transitions. Ad hoc proof rules as in [17] often give rise to efficient analyses, but do not establish a general theory. This is unsatisfying because such a theory is crucial for investigating the completeness of the analysis and the applicability to related problems or other programming paradigms. In this paper we have identified SCA as a suitable abstraction for bound analysis. SCA provides the theory that we have been looking for, because all the proof rules of [17] are instantiations of our more general bound algorithm.

In [17] we stated a so-called enabledness check that detects non-interference between transitions, which can be used in the composition of the global bound. Unfortunately, this check is flawed when more than two transitions are considered. Our program transformation contextualization can soundly detect non-interference when an arbitrary number of transitions is considered.

[14] proposes to use program transformation before performing bound analysis. The program transformation stated in [14] is parameterized by an abstract domain, which is used simultaneously with the actual transformation algorithm to detect the infeasibility of certain paths. However, [14] is vague about what abstract domains should be used, and the actual transformation algorithm is quite involved. In contrast, we propose two simple program transformations that are easy to implement. Our program transformations only rely on SMT solver calls and do not require additional abstract domains.

8.7 Size-change Abstraction 

Despite its success in functional/declarative languages, e.g. [25,20], SCA [24,4] has not yet been applied to imperative programs. We describe the two main obstacles in the application of SCA to imperative programs and how we solve them: (1) In functional / declarative languages, algorithms typically operate on algebraic data structures where constructs and destructs happen in single steps. Due to this succinctness, SCA achieves sufficient precision on small program blocks. In imperative programs loops can have many intermediate stages and oftentimes only the program state at the loop header can be considered as "clean". Therefore the abstraction of small program blocks to size-change relations loses too much precision. (This issue is well-known in the field of invariant computation.) We solve this issue by our pathwise analysis, which has the effect that large pieces of code that lie between the "clean" program locations are abstracted jointly. (2) The intended use of the SCA variables is as local progress measures of the program. In functional/declarative languages there is a natural set of such local progress measures such as the size of a data type, the height of a tree, the length of a list, or any arithmetic expression built up from those. In imperative programs, it is less clear what the shape of these local progress measures is and how they can be automatically extracted from programs. We give a solution to this problem by extracting norms from the conditions of complete loop paths (as described in our heuristics).

8.8 Other Approaches 

A series of works describes a type-based potential method of amortized analysis for the estimation of resource usage in first-order functional programs, which reduces the problem to linear constraint solving. Recent enhancements include the extension to multivariate polynomial bounds [2] and higher-order programs [19]. The embedded and real-time systems community has taken considerable effort on worst case execution time (WCET) estimation [31]. WCET presents an orthogonal line of research, which for establishing loop bounds either requires user annotations or employs simple techniques based on pattern matching and numerical analysis. We report on a WCET benchmark in our experiments.

9 Experiments 

Our tool LOOPUS applies the methods of this paper to obtain upper bounds on loop iterations. The tool employs the LLVM compiler framework and performs its analysis on the LLVM intermediate representation [33]. We are using ideal integers in our analysis instead of exact machine representation (bitvectors). Our analysis operates on the SSA variables generated by the mem2reg pass and handles memory references using optimistic assumptions. For logical reasoning we use the yices SMT solver [5]. Our experiments were performed on an Intel Xeon CPU (4 cores with 2.33 GHz) with 16 GB RAM.

The Mälardalen benchmark is used in the area of worst case execution time analysis for the comparison and evaluation of methods and tools. It contains 7497 lines of code and 262 loops. In less than 35 seconds total time, we computed a bound for 93% of the loops. On the loops with more than one path (in the following called non-trivial loops) we had a success ratio of 72% (42 of 58 loops). The failure cases had the following reasons: (1) unimplemented modeling of memory updates [2 loops] (2) arithmetic instructions that cannot be handled by yices [4 loops] (3) insufficient invariant analysis [4 loops] (4) quantified invariants on array contents needed [6 loops in 2 programs].

The cBench benchmark was collected for research on program and compiler optimization. After removing code duplicates it contains 1027 C source code files, 211,892 lines of code and a total number of 4302 loops. For 4090 loops our tool answered within a 1000 seconds timeout (3923 loops in less than 4 seconds). On 71 loops our tool exceeded the 1000 seconds timeout and 141 loops could not be analyzed because our current tool does not handle irreducible CFGs.

Our tool computed a bound for 75% of the 4090 analyzed loops in the cBench benchmark. On the non-trivial loops bound computation was successful in 65% of the cases (1181 of 1902 loops). For the class of inner loops (e.g. program location $l_2$ in Example 1) we were able to compute a bound for 65% (830 of 1345) of the loops. This class of loops is especially interesting for evaluating the precision of the automatically computed bounds in the presence of outer loops. A manual sample of around 100 loops in this class showed that the bounds by our tool were precise.

We evaluated our transitive hull algorithm on the class of loops for which 
an inner loop had to be summarized in order to compute an iteration bound. 
The bound computation was successful in 56% of these cases (578 of 1102). The 
relatively low success ratio of 56% is caused by limits of our implementation of 
the transitive hull algorithm that currently does not support invariants involving 
values of memory locations. 

In 992 of the total 1017 failure cases we failed to compute a bound because we 
could not find a local ranking function that proves the termination of a single 
transition. Recall that such local ranking functions are used as norms in our 
bound analysis. A manual analysis revealed that the reasons for failure were: (1) 
missing implementation features like pointer calculations and memory updates 
(2) insufficient invariant analysis (3) some loops were not meant to terminate, 
e.g. input loops (4) complex invariants like quantified invariants on the content of 
arrays needed. None of these reasons reveals a general limitation of our method. 
All but reason (4) can be solved by systematic engineering work. In the 25 
remaining cases our tool computed a bound for each transition but was not able 
to compose an overall bound. 

Acknowledgement. We would like to thank the anonymous reviewers for 
their insightful comments. 
A Comparison between Blockwise and Pathwise SCA Analysis

Classical papers on termination analysis with SCA [24,3] do not discuss how one can obtain abstract programs. However, these papers assume that abstract programs are given as CFGs whose edges are labeled by SCRs. Therefore it is fair to say that classical SCA uses blockwise analysis. We sketch how this abstraction strategy differs from our approach: classical SCA abstracts programs in one step, and then analyzes the abstracted programs by a single transitive hull computation. In contrast, our pathwise analysis abstracts programs in multiple steps and computes transitive hulls at multiple times during the analysis. Our approach is a generalization of classical SCA and strictly more precise.

We illustrate the difference between our pathwise analysis and classical SCA in the following. Let $P$ be the program in Example 1. As described in Section B.1 we obtain the transition system $TransSys(P, l_1) = \{n - i - 1 > 0 \land n' - i' < n - i \land j' > 0,\ n - i > 0 \land n' - i' = n - i - 1 \land j' = 0\}$ for $P|_{l_1}$ by pathwise analysis. Note that $TransSys(P, l_1)$ establishes that the variable $i$ increases at every loop iteration and that $i < n$ is an invariant at $l_1$. $TransSys(P, l_1)$ is precise enough so that our Algorithm 2 can further size-change abstract it and compute a bound from the abstraction.

The blockwise analysis in classical SCA begins with abstracting $P$. Because of the inner loop at location $l_2$ of program $P$, each transition $\rho_1, \rho_2, \rho_3, \rho_4$ constitutes a program block and needs to be abstracted separately. We get the SCRs $\alpha(\rho_1) = n - i > 0 \land n' - i' < n - i \land j' > 0$, $\alpha(\rho_2) = n - i > 0 \land n' - i' < n - i \land j < j'$, $\alpha(\rho_3) = j > 0 \land n' - i' > n - i$, $\alpha(\rho_4) = j \leq 0 \land n' - i' = n - i$. The termination analysis with classical SCA computes the transitive hull of these SCRs along the control flow edges of program $P$. In particular classical SCA computes the SCR $\alpha(\rho_1) \circ \alpha(\rho_2) \circ \alpha(\rho_3) = n - i > 0 \land j' > 0$ for the path $l_1 \to l_2 \to l_2 \to l_1$. Note that classical SCA cannot establish that $n - i$ increases every time this path is taken (the concatenation of $n' - i' < n - i$ and $n' - i' > n - i$ in $\alpha(\rho_2)$ and $\alpha(\rho_3)$ loses all information on $n - i$) and therefore cannot prove the termination of $P$.

B Examples 

B.l Example application of Algorithm [T] 

Let $P$ be the program of Example 1. We want to compute the transition system for $P|_{l_1}$ and hence call $\mathrm{TransSys}(P, l_1)$. In the first foreach-loop Algorithm 1 calls itself recursively on the nested loop $loop = (\{l_2\}, \{l_2 \to l_2\})$ with header $l_2$. In the recursive call Algorithm 1 skips the first foreach-loop because $(loop, l_2)$ does not have nested loops. The second foreach-loop iterates over all cycle-free paths of $\mathrm{paths}(loop, l_2)$. There is only one such path, $l_2 \to l_2$. Algorithm 1 computes $T_\pi = \{\, i < n \wedge i' = i+1 \wedge j' = j+1 \wedge n' = n \,\}$ and returns $T_\pi$ as the transition system $\mathrm{TransSys}(loop, l_2)$. After the return of the recursive call $T = \mathrm{TransSys}(loop, l_2)$, Algorithm 1 size-change abstracts $T$ by $\alpha(T) = \{\, n-i > 0 \wedge n'-i' < n-i \wedge j < j' \,\}$, computes the reflexive transitive hull in the abstract, $\alpha(T)^* = \{\, n'-i' = n-i \wedge j' = j,\;\; n-i > 0 \wedge n'-i' < n-i \wedge j' > j \,\}$, and stores $\gamma(\alpha(T)^*)$ in $\mathrm{summary}[l_2]$. As there is no other nested loop the first foreach-loop is finished. The second foreach-loop iterates over all cycle-free paths of $\mathrm{paths}(P, l_1)$. There are two such paths $\pi_1, \pi_2$ as explained in Section 3. Algorithm 1 computes

$T_{\pi_1} = \{\rho_1\} \circ \mathrm{summary}[l_2] \circ \{\rho_3\}$
$\quad = \{\, n-i > 0 \wedge i_1 = i+1 \wedge j_1 = 0 \wedge n'-i' = n-i \wedge j' = j_1 \wedge j' > 0,\;\; i_1 = i+1 \wedge j_1 = 0 \wedge n-i_1 > 0 \wedge n'-i' < n-i \wedge j' > j_1 \wedge j' > 0 \,\}$
$\quad = \{\, \mathit{false},\;\; n-i-1 > 0 \wedge n'-i' < n-i \wedge j' > 0 \,\}$,

$T_{\pi_2} = \{\rho_1\} \circ \mathrm{summary}[l_2] \circ \{\rho_4\}$
$\quad = \{\, n-i > 0 \wedge i_1 = i+1 \wedge j_1 = 0 \wedge n'-i' = n-i_1 \wedge j' = j_1 \wedge j' = 0,\;\; i_1 = i+1 \wedge j_1 = 0 \wedge n-i_1 > 0 \wedge n'-i' < n-i_1 \wedge j' > j_1 \wedge j' = 0 \,\}$
$\quad = \{\, n-i > 0 \wedge n'-i' = n-i-1 \wedge j' = 0,\;\; \mathit{false} \,\}$

and returns
$T_{\pi_1} \cup T_{\pi_2} = \{\, n-i-1 > 0 \wedge n'-i' < n-i \wedge j' > 0,\;\; n-i > 0 \wedge n'-i' = n-i-1 \wedge j' = 0 \,\}$
as transition system for $P|_{l_1}$.
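The two size-change steps walked through above (the abstraction $\alpha(T)$ with its reflexive transitive hull $\alpha(T)^*$ in B.1, and the information loss when classical SCA concatenates $\alpha(\rho_2)$ and $\alpha(\rho_3)$ blockwise in Section A) can be replayed in a small model. The following Python is an added example, not code from the paper or its tool: it tracks, for the two norms $n-i$ and $j$ only, how the primed value relates to the unprimed one ($<$, $=$, $>$ or unknown) plus which norms are guarded $> 0$; constraints against constants such as $j' > 0$ are outside this simplified model.

```python
# Added example, not from the paper: a minimal model of size-change
# relations (SCRs) over the two norms used in the text, n-i and j.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

NORMS = ("n-i", "j")          # norms whose change an SCR tracks

@dataclass(frozen=True)
class SCR:
    rel: tuple                # ((norm, r), ...): primed norm  r  unprimed norm
    guards: FrozenSet[str]    # norms the SCR asserts to be > 0 before the step

def scr(rel: Dict[str, Optional[str]], guards=()) -> SCR:
    """Build an SCR; a norm missing from `rel` carries no information (None)."""
    return SCR(tuple((x, rel.get(x)) for x in NORMS), frozenset(guards))

IDENTITY = scr({x: "=" for x in NORMS})   # the relation Id: x' = x for every norm

def _compose_rel(r1: Optional[str], r2: Optional[str]) -> Optional[str]:
    """x1 r1 x followed by x' r2 x1: what is known about x' versus x?"""
    if r1 is None or r2 is None:
        return None
    if r1 == "=":
        return r2
    if r2 == "=":
        return r1
    return r1 if r1 == r2 else None   # '<' followed by '>' loses everything

def compose(a: SCR, b: SCR) -> SCR:
    """Relational composition a o b: first a, then b."""
    ra, rb = dict(a.rel), dict(b.rel)
    rel = {x: _compose_rel(ra[x], rb[x]) for x in NORMS}
    # A guard x > 0 of b talks about the intermediate value x1; it transfers to
    # the initial value x only when a guarantees x1 <= x (x1 = x or x1 < x).
    carried = {x for x in b.guards if ra[x] in ("=", "<")}
    return scr(rel, a.guards | carried)

def transitive_hull(t: Set[SCR]) -> Set[SCR]:
    """Reflexive transitive hull t*: compositions of zero or more steps of t."""
    hull, frontier = {IDENTITY}, {IDENTITY}
    while frontier:                   # finitely many SCRs exist, so this terminates
        frontier = {compose(h, s) for h in frontier for s in t} - hull
        hull |= frontier
    return hull

def decreasing_norm(s: SCR) -> Optional[str]:
    """A norm that is guarded > 0 and strictly decreases witnesses progress."""
    return next((x for x, r in s.rel if r == "<" and x in s.guards), None)
```

With `alpha_T = scr({"n-i": "<", "j": ">"}, {"n-i"})`, `transitive_hull({alpha_T})` is exactly `{IDENTITY, alpha_T}`, mirroring $\alpha(T)^*$ above, while `compose(alpha_T, scr({"n-i": ">"}, {"j"}))` has no decreasing norm left, mirroring the blockwise concatenation of $\alpha(\rho_2)$ and $\alpha(\rho_3)$.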

B.2 Example application of Algorithm 2

The CFG in Figure 3 has 5 SCCs: $(l_1), (l_2), (l_3), (l_4), (l_5, l_6)$. Algorithm 3 computes the following bounds on these SCCs: $b_{l_1} = \max(255 - s, 0)$, $b_{l_2} = \max(s, 0)$, $b_{l_3} = 1$, $b_{l_4} = 1$, $b_{l_5,l_6} = 1$. Algorithm 2 composes these bounds as follows: $\max(u(b_{l_1}), u(b_{l_2})) + \max(u(b_{l_3}), u(b_{l_4})) + u(b_{l_5,l_6})$, where $u$ denotes an upper bound on the value of the given expression computed by an invariant analysis. Assuming that the invariant analysis provides $u(b_{l_1}) = 255$, $u(b_{l_2}) = s$, $u(b_{l_3}) = 1$, $u(b_{l_4}) = 1$ and $u(b_{l_5,l_6}) = 2$, we obtain the precise bound $\max(255, s) + 3$.

B.3 Flagship Example of [14]

In this subsection we apply our analysis to the flagship example of a recent publication [14] on the bound problem (Example 4 below). On this example the authors of [14] motivate control-flow refinement for bound analysis. Their algorithm relies on a sophisticated interplay between control-flow refinement and abstract interpretation. We show that our simpler technique can also handle the example.

Example 4.

    void cyclic(int id, int maxId) {
      assume(0 <= id <= maxId);
      int tmp := id + 1;
      while (tmp != id && nondet()) {
        if (tmp <= maxId) tmp := tmp + 1;
        else tmp := 0;
      }
    }

We assume an invariant analysis (e.g. octagon analysis) provides the invariant $0 \leq \mathit{id} \leq \mathit{maxId} \wedge \mathit{tmp} \geq 0$ at the header of the while-loop. The while-loop has four paths because we consider the inequality tmp != id as the disjunction $\mathit{tmp} < \mathit{id} \vee \mathit{tmp} > \mathit{id}$. Algorithm 1 gives us the transition system $T = \{\rho_1, \rho_2, \rho_3\}$ (there is no fourth transition because $0 \leq \mathit{id} \leq \mathit{maxId} \wedge \mathit{tmp} < \mathit{id} \wedge \mathit{tmp} > \mathit{maxId}$ is unsatisfiable), where

$\rho_1 = 0 \leq \mathit{id} \leq \mathit{maxId} \wedge \mathit{id} < \mathit{tmp} \leq \mathit{maxId} \wedge \mathit{tmp}' = \mathit{tmp} + 1$,
$\rho_2 = 0 \leq \mathit{id} \leq \mathit{maxId} \wedge \mathit{tmp} > \mathit{maxId} \wedge \mathit{tmp}' = 0$,
$\rho_3 = 0 \leq \mathit{id} \leq \mathit{maxId} \wedge 0 \leq \mathit{tmp} < \mathit{id} \wedge \mathit{tmp}' = \mathit{tmp} + 1$.



Fig. 4. Contextualization of Example 4: the CFG $l_1 \to l_2 \to l_3$ with self-loops $\rho_1$ at $l_1$ and $\rho_3$ at $l_3$.



Contextualization gives us the CFG depicted in Figure 4, which precisely reflects the different phases of the loop.

The control flow graph given in Figure 4 has 3 SCCs: $(l_1), (l_2), (l_3)$. Algorithm 3 computes the following bounds on these SCCs: $b_{l_1} = \max(\mathit{maxId} - \mathit{tmp}, 0)$, $b_{l_2} = 1$ and $b_{l_3} = \max(\mathit{id} - \mathit{tmp}, 0)$. Algorithm 2 composes these bounds as follows: $u(b_{l_1}) + u(b_{l_2}) + u(b_{l_3})$, where $u$ denotes an upper bound on the value of the given expression. Assuming that the invariant analysis provides $u(b_{l_1}) = \mathit{maxId} - \mathit{id}$, $u(b_{l_2}) = 1$, $u(b_{l_3}) = \mathit{id}$, we obtain the precise bound $\mathit{maxId} + 1$.

C Proof of Theorem 2

We prove a stronger statement than the one stated in Theorem 2: for every program $P = (L, E)$ and location $l \in L$ it holds that $\mathrm{TransSys}(P, l)$ is a transition system for $P|_l$ and that for every inner loop $loop$ of $P$ w.r.t. $l$ with header $header$ the transition set $\mathrm{summary}[header]$ is a transition invariant for $loop|_{header}$ (*). The stronger statement has the advantage of being inductive, whereas the statement of Theorem 2 is not. Our proof of (*) proceeds by induction on the loop nesting structure of programs.

Let $P = (L, E)$ be a program and $l \in L$ be some location. In the base case, there are no inner loops of $P$ w.r.t. $l$. Let $\pi = l \to l_1 \to \cdots \to l_k \to l \in \mathrm{paths}(P, l)$ be a path with start and end location $l$. Because $P$ does not have inner loops w.r.t. $l$, $\pi$ is cycle free. Thus, no location $l_i$ is the header of an inner loop. Therefore we have $\mathrm{ITE}(\mathrm{IsHeader}(l_i), \mathrm{summary}[l_i], \{\mathit{Id}\}) = \{\mathit{Id}\}$ for all $i$. Hence,

$$
\begin{aligned}
\{\mathrm{rel}(\pi)\} &= \{\rho_0 \circ \rho_1 \circ \rho_2 \circ \cdots \circ \rho_k\} \\
&= \{\rho_0\} \circ \{\mathit{Id}\} \circ \{\rho_1\} \circ \{\mathit{Id}\} \circ \{\rho_2\} \circ \cdots \circ \{\mathit{Id}\} \circ \{\rho_k\} \\
&= \{\rho_0\} \circ \mathrm{ITE}(\mathrm{IsHeader}(l_1), \mathrm{summary}[l_1], \{\mathit{Id}\}) \circ \{\rho_1\} \circ \mathrm{ITE}(\mathrm{IsHeader}(l_2), \mathrm{summary}[l_2], \{\mathit{Id}\}) \circ \{\rho_2\} \circ \cdots \\
&\qquad \circ \mathrm{ITE}(\mathrm{IsHeader}(l_k), \mathrm{summary}[l_k], \{\mathit{Id}\}) \circ \{\rho_k\}.
\end{aligned}
$$

Therefore,

$$
\bigcup \mathrm{TransSys}(P, l) = \bigcup_{\text{cycle-free path } \pi \in \mathrm{paths}(P, l)} \mathrm{rel}(\pi) = \bigcup_{\pi \in \mathrm{paths}(P, l)} \mathrm{rel}(\pi) = P|_l .
$$

Thus $\mathrm{TransSys}(P, l)$ is a transition system for $P|_l$.

In the inductive case, there are nested loops of $P$ w.r.t. $l$. Let $loop$ be a nested loop of $P$ w.r.t. $l$ and let $header$ be its header.

We show that $\mathrm{summary}[header]$ is a transition invariant for $loop|_{header}$. By the induction hypothesis we have that $T = \mathrm{TransSys}(loop, header)$ is a transition system for $loop|_{header}$. Because $T$ is a transition system for $loop|_{header}$, we have that $\gamma(\alpha(T)^*)$ is a transition invariant for $loop|_{header}$ by the soundness of SCA as stated in Theorem 1. With $hull := \gamma(\alpha(T)^*)$ and $\mathrm{summary}[header] := hull$, $\mathrm{summary}[header]$ is a transition invariant for $loop|_{header}$.

By the induction hypothesis we further have that for all inner loops $loop'$ of $loop$ w.r.t. $header$ with header $header'$ the transition set $\mathrm{summary}[header']$ is a transition invariant for $loop'|_{header'}$.

Thus we have that for every inner loop $loop$ of $P$ w.r.t. $l$ with header $header$ the transition set $\mathrm{summary}[header]$ is a transition invariant for $loop|_{header}$.

It remains to show that $\mathrm{TransSys}(P, l)$ is a transition system for $P|_l$. It suffices to show that we have $\mathrm{rel}(\pi) \subseteq \bigcup \mathrm{TransSys}(P, l)$ for every path $\pi \in \mathrm{paths}(P, l)$. Let $\pi = l \to l_1 \to \cdots \to l_k \to l \in \mathrm{paths}(P, l)$ be a path of $P$ with start and end location $l$. In the following we iteratively remove iterations through inner loops from $\pi$ to obtain a cycle-free path. Let $i_1$ be the first index such that $l_{i_1}$ appears multiple times in $\pi$. Let $loop_1$ be the innermost loop of $P$ w.r.t. $l$ that contains $l_{i_1}$. Because $P$ w.r.t. $l$ is reducible, there is a unique loop header $header$ of $loop_1$. Because $header$ is a dominator for $l_{i_1}$, every path from $l$ to $l_{i_1}$ must visit $header$ before. Because $loop_1$ is the innermost loop that contains $l_{i_1}$, every path of $P$ that starts and ends in $l_{i_1}$ must visit $header$. Therefore $\pi$ also visits $header$ multiple times. As $l_{i_1}$ is the first location visited multiple times we must have $l_{i_1} = header$. Let $j_1$ be the last index such that $l_{j_1} = l_{i_1}$. We denote by $q_1 = \pi[i_1, j_1] = l_{i_1} \to l_{i_1+1} \to \cdots \to l_{j_1-1} \to l_{j_1}$ the subpath of $\pi$ from index $i_1$ to index $j_1$. We have that $q_1 \in \mathrm{paths}(loop_1, l_{i_1})$ is some iteration through the inner loop $loop_1$ with header $l_{i_1}$. Let $\pi_1$ be the result of deleting the subpath from index $i_1 + 1$ to index $j_1$ of $\pi$. $\pi_1$ is a path because $l_{i_1} = l_{j_1}$. Note that $\pi_1$ does not contain $l_{i_1}$ multiple times any more, but does contain $l_{i_1}$ exactly once. We iterate this approach to derive indices $i_2, j_2, i_3, j_3, \ldots, i_m, j_m$ and paths $q_2, \pi_2, q_3, \pi_3, \ldots, q_m, \pi_m$ until $\pi_m$ does not contain a location that appears multiple times. By induction assumption we have that $\mathrm{summary}[l_{i_j}]$ is a transition invariant for $loop_j|_{l_{i_j}}$ for all $1 \leq j \leq m$. Thus $\mathrm{rel}(q_j) \subseteq loop_j|_{l_{i_j}} \subseteq \bigcup \mathrm{summary}[l_{i_j}]$ for all $1 \leq j \leq m$. This gives us

$$
\begin{aligned}
\mathrm{rel}(\pi) &= \rho_0 \circ \rho_1 \circ \cdots \circ \rho_k \\
&= \rho_0 \circ \rho_1 \circ \cdots \circ \rho_{i_1-1} \circ \rho_{i_1} \circ \cdots \circ \rho_{j_1} \circ \rho_{j_1+1} \circ \cdots \circ \rho_{i_m-1} \circ \rho_{i_m} \circ \cdots \circ \rho_{j_m} \circ \rho_{j_m+1} \circ \cdots \circ \rho_k \\
&= \rho_0 \circ \rho_1 \circ \cdots \circ \rho_{i_1-1} \circ \mathrm{rel}(q_1) \circ \rho_{j_1+1} \circ \cdots \circ \rho_{i_m-1} \circ \mathrm{rel}(q_m) \circ \rho_{j_m+1} \circ \cdots \circ \rho_k \\
&\subseteq \bigcup \big( \{\rho_0\} \circ \{\rho_1\} \circ \cdots \circ \{\rho_{i_1-1}\} \circ \mathrm{summary}[l_{i_1}] \circ \{\rho_{j_1+1}\} \circ \cdots \circ \{\rho_{i_m-1}\} \circ \mathrm{summary}[l_{i_m}] \circ \{\rho_{j_m+1}\} \circ \cdots \circ \{\rho_k\} \big) \\
&= \bigcup \big( \{\rho_0\} \circ \mathrm{ITE}(\mathrm{IsHeader}(l_1), \mathrm{summary}[l_1], \{\mathit{Id}\}) \circ \{\rho_1\} \circ \mathrm{ITE}(\mathrm{IsHeader}(l_2), \mathrm{summary}[l_2], \{\mathit{Id}\}) \circ \{\rho_2\} \circ \cdots \\
&\qquad \circ \mathrm{ITE}(\mathrm{IsHeader}(l_k), \mathrm{summary}[l_k], \{\mathit{Id}\}) \circ \{\rho_k\} \big) \\
&= \bigcup \mathrm{TransSys}(P, l).
\end{aligned}
$$

This concludes the proof of (*).






